Request
Vault Forward acts as a proxy to your third-party endpoint. You send the request to the Gr4vy API instead of directly to the downstream service, with a few adjustments:- Send the request to
POST /vault-forwardinstead of the downstream URL. - Replace any PCI data in the body with template placeholders, for example
{{ CARD_NUMBER_1 }}. - Add control headers to specify which cards to forward and where to send the request.
- Prefix any downstream headers with
x-vault-forward-header-.
Request headers
| Header | Required | Description |
|---|---|---|
x-vault-forward-url | Yes | HTTPS URL to forward the request to. The host must be enabled in production. |
x-vault-forward-http-method | Yes | HTTP method to use: POST, PUT, or PATCH. |
x-vault-forward-payment-methods | Yes* | Comma-separated list of payment method IDs. At least 1, no duplicates. Only card payment methods are accepted. |
x-vault-forward-checkout-session | Yes* | Checkout session ID. If set, x-vault-forward-payment-methods can be omitted. Use to forward a CVV. |
x-vault-forward-header-{HEADER_NAME} | No | A header to forward to the downstream endpoint. For example, set x-vault-forward-header-authorization to forward an authorization header. |
x-vault-forward-timeout | No | Timeout for the forwarded request in seconds. Defaults to 30. |
x-vault-forward-payment-methods or x-vault-forward-checkout-session — at least one is required.
Payload placeholders
Replace PCI data in the request body with placeholders using{{ PLACEHOLDER }} syntax. The X suffix is the 1-based index of the payment method in the x-vault-forward-payment-methods list.
| Placeholder | Description |
|---|---|
CARD_NUMBER_X | The card number (PAN). |
CARD_EXPIRATION_DATE_X | Expiration date in MM/YY format. |
CARD_EXPIRATION_DATE_M_X | Expiration month, non-zero-padded (1–12). |
CARD_EXPIRATION_DATE_MM_X | Expiration month, zero-padded (01–12). |
CARD_EXPIRATION_DATE_YY_X | Expiration year without century (00–99). |
CARD_EXPIRATION_DATE_YYYY_X | Expiration year with century (for example 2025). |
CARD_SECURITY_CODE_X | Security code (CVV). Only available via Secure Fields and checkout sessions. |
Authentication
Pass your downstream API credentials through headers using thex-vault-forward-header- prefix:
Response
HTTP status code
Any validation error before forwarding returns a4XX status. In all other cases — including when the downstream service returns an error — the status is 200.
Response headers
| Header | Description |
|---|---|
content-type | Content type of the downstream response, forwarded as-is. |
x-vault-forward-http-status-code | HTTP status code returned by the downstream endpoint. |
x-vault-forward-header-{HEADER_NAME} | Response headers from the downstream endpoint (except content-type). For example, x-vault-forward-header-x-frame-options. |
x-vault-forward-error | Error string if no response was received, for example on timeout or network failure. |
Payload
The raw downstream response body is returned as-is. Empty if no response was received.Examples
Explore further
CVV & Secure Fields
Forward a security code collected via Secure Fields or a checkout session
3DS forwarding
Forward 3DS authentication data alongside card details
Network token forwarding
Forward network tokens and cryptograms to third-party endpoints
Advanced authentication
Configure request signing, mutual TLS, or payload encryption
Enable an endpoint
Allow a specific host to receive forwarded PCI data in production